Search
Content type: Examples
After developing software that automatically recognises cookie banners that do not comply with the GDPR (usually because they do not provide a clear one-click option to reject all non-essential cookies), noyb has sent over 500 complaints to companies they consider non-compliant and given them a one-month grace period to change their practices. Along with the complaints, noyb provides a step-by-step guide on how to comply. They intend on generating over 10,000 complaints in this way in the…
Content type: Examples
The Irish Council for Civil Liberties (ICCL) has filed a lawsuit in Hamburg against three AdTech industry trade bodies including the Interactive Avertising Bureau (IAB). Members of the IAB include big tech companies (Google, Facebook, Amazon, Twitter...), data brokers (Equifax, Experian, Acxiom...) and advertising agencies (Groupm, Publicis, IPG...).
The lawsuit follows the filing in 2018 of complaints with the Irish Data Protection Commission (DPC) and UK Information Commissioner (ICO), which…
Content type: Examples
Sidestepping the need to obtain a search warrant, the US Department of Homeland Security (DHS) has been accessing smartphone location data by buying it from private marketing that typically embed tracker in apps. This data, which maps the movement of millions of cellphones in America, was collected from ordinary cellphone apps, to which users gave access to their location. In this particular instance, it was used by the DHS to search for undocumented immigrants according to the Wall Street…
Content type: Examples
Civil society organisations Civil Liberties union for Europe, Open Rights Group and Panoptykon Foundation have filed complaints against Google and Interactive Advertising Bureau (IAB) member companies in Croatia, Cyprus, Greece, Malta, Portugal and Romania.
The complaints address privacy abuses arising from real-time bidding processing, and call on data protection authorities to work together in investigation the real-time bidding industry.
Content type: Examples
French data protection regulator CNIL fined Google and Amazon €100 million and €35 million respectively for breaches of the French Data Protection Act. The CNIL found that the French websites of Google and Amazon had not sought the prior consent of visitors before advertising cookies were saved on computers, and failed to provide clear information to users as to how they intended to make use of online trackers and how to refuse any use of cookies.
In relation to Google, the CNIL made an…
Content type: Examples
After a two year investigation into credit referencing agencies (CRAs) Experian, Equifax and TransUnion - initiated in part pursuant to a complaint filed by PI against Equifax and Experian in November 2018 - the ICO has published a report finding "widespread and systemic data protection failings" in the data broking sector. Pursuant to its investigation, the ICO issued an enforcement notice against Experian, requesting the company to achieve compliance with data…
Content type: Examples
noyb filed a complaint against address broker AZ Direct Österreich GmbH after it refused to provide information on the origin and recipients of data processed.
The address broker, in a response to a data subject access request, claimed not to know where the residential address of the data subject – which it had on file – had come from. Similarly, AZ Direct failed to provide a detailed reply regarding the recipients of the data, and simply provided possible categories of recipients.
Content type: Examples
PI filed a complaint against health website Doctissimo with the French data protection authority (CNIL) after our research found that Doctissimo engaged in programmatic advertising, and shared the results of online depression tests taken on its platform with third parties.
The complaint argues, among others, that Doctissimo had no lawful basis for the processing of personal data as the requirements for valid consent are not met, and that it does not comply with the Data Protection Principles…
Content type: Examples
The Norwegian Consumer Council (Forbrukerrådet) and noyb filed three formal complaints against Grindr and ad tech companies that were receiving personal data through the app: Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.
The complaint followed an investigation carried out by the Norwegian Consumer Council which found that the online advertising industry was “systematically breaking the law”, transmitting personal data and tracking users in ways that are banned under the…
Content type: Examples
In a sharp drop from the beginning of Canada's lockdown, after two months only one in six Canadians left their home on weekends compared to one in three at the beginning. The marketing company Environics Analytics compiled the report by analysing a database of anonymised location data from 2.3 million mobile phones and looking for people who went at least 100 metres beyond their home postal code for a minimum of 30 minutes on at least one weekend day, and used demographic information tied to…
Content type: Examples
The US Centers for Disease Control and Prevention, in conjunction with local and state governments, are using location data collected by the mobile advertising industry from millions of cellphones in order to better understand how Americans are moving during the COVID-19 pandemic and how those movements affect the spread of the disease. The goal is to create a portal that federal, state, and local officials can use to study geolocation from up to 500 US cities and see which retail…
Content type: Examples
In a widely circulated animated heat map, the geospatial visualisation company Tectonix GEO in partnership with the location technology company X-Mode used the secondary locations of anonymised mobile devices that were active on a single beach in in Ft Lauderdale, FL during spring break to show how the beach-goers fanned out across the US afterwards, potentially carrying infection with them. Although the visualisation was instructive in showing how contagion spreads, it was unclear whether any…
Content type: Examples
GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry. This week marks one year since the introduction of the GDPR.
The new complaints have been filed by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (…
Content type: Examples
Simultaneous complaints have been filed with European data protection authorities against Google and other ad tech firms. The complainants are being made by Dr Johnny Ryan of Brave, the private web browser, Jim Killock, Executive Director of the Open Rights Group, and Michael Veale of University College London. The complaint notifies European regulators of a massive and ongoing data breach that affects virtually every user on the web.
Content type: Examples
Panoptykon Foundation, the Warsaw based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave, by filing a new complaint in Poland. Together, the complainants in Ireland, Poland, and the UK, have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom, that reveals how ad…
Content type: Examples
The Irish Data Protection Commission has today launched an inquiry into the data practices of ad-tech company Quantcast, a major player in the online tracking industry. PI's 2018 investigation and subsequent submission to the Irish DPC showed how the company is systematically collecting and exploiting people's data in ways people are unaware of. PI also investigated and complained about Acxiom, Criteo, Experian, Equifax, Oracle, and Tapad.
Content type: Examples
Privacy International has filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK. It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect. Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent…
Content type: Examples
Dr Johnny Ryan filed a formal complaint with the Irish Data Protection Commission against IAB Europe, the tracking industry’s primary lobbying organization. The complaint was filed against IAB Europe’s use of an unlawful “cookie wall” on its website. Visitors to IAB Europe’s website, www.iabeurope.eu, are forced to accept tracking by Google, Facebook, and others, which may then monitor them.
Content type: Examples
In November 2018, the criminal hacker group 3ve found a new way of exploiting security weaknesses in the Border Gateway Protocol that allowed them to take control of IP addresses belonging to the US Air Force and other reputable organisations; the result was to net them $29 million in fraudulent advertising revenue. The scheme involved a thousand servers that impersonated human beings viewing ads on bogus pages run by 3ve; to camouflage the origins of the traffic the page requests were…
Content type: Examples
A startling amount of the internet is fake in one way or another, studies found in 2018. Less than 60% of web traffic is human; a 2013 study found that at least half of YouTube traffic was bots masquerading as people; in November 2018 the US Justice Department revealed that eight people were accused of stealing $36 million in digital advertising fraud that involved sending fake traffic to spoofed websites which were made to look to advertisers like premium publishers. Also fake in at least some…
Content type: Examples
In 2018, the digital marketing company Tell All Digital began marketing technology to personal injury law firms to enable them to send mobile ads to patients they know are waiting for treatment in an emergency room and for up to a month afterwards. The technology relies on geofencing, a technique for targeting people in a specific location using a phone ID derived from wi-fi, cell data, or GPS apps. Under the US Health Information Portability and Accountability Act, this type of targeting is…
Content type: Examples
In 2018, the French company Criteo formed a partnership with AgilOne to identify and link customer behaviour across multiple online and offline channels. The service is intended to make the ads consumers see more relevant, but also stop showing them ads for products they've already bought in offline stores. AgilOne provides the feed of customer data to Criteo; Criteo's platform uses the information to decide to target or suppress ads.
https://www.mediapost.com/publications/article/323465/…
Content type: Examples
In 2017 the Electronic Privacy Information Center filed a complaint with the US Federal Trade Commission asking the agency to block Google's Store Sales Measurement service, which the company introduced in May at the 2017 Google Marketing Next event. Google's stated goal was to link offline sales to online ad spending. EPIC argued that the purchasing information Google collected was highly sensitive, revealing details about consumers purchases, health, and private lives, and that Google was…
Content type: Examples
Princeton University's WebTap - Web Transparency and Accountability - project conducts a monthly automated census of 1 million websites to measure tracking and privacy. The census detects and measures many or most of the known privacy violations researchers have found in the past: circumvention of cookie blocking, leakage of personally identifiable information to third parties, Canvas fingerprinting, and many more. The research also examines the effect of browser privacy tools and cookie…
Content type: Examples
In 2016, the US Federal Trade Coimmission issued a warning to app developers that had installed Silverpush, software that uses device microphones to listen for audio signals inaudible to the human ear that identify the television programmes they are watching. Nonetheless, similar technology continued to spread. In 2017, software from the TV data collection startup Alphonso, began to spread. As many as 1,000 gaming, messaging, and social apps using Alphonso's software, some of them aimed at…
Content type: Examples
In 2016, researchers discovered that the personalisation built into online advertising platforms such as Facebook is making it easy to invisibly bypass anti-discrimination laws regarding housing and employment. Under the US Fair Housing Act, it would be illegal for ads to explicitly state a preference based on race, colour, religion, gender, disability, or familial status. Despite this, some policies - such as giving preference to people who already this - work to ensure that white…